DOE F 1325.8
(8-89)
EFG (07-90)

United States Government                                          Department of Energy

Memorandum

DATE:       SEP 24 2004
REPLY TO:   IG-34 (A04TG032)                         Audit Report No.: OAS-L-04-21
SUBJECT:    Evaluation of "The Federal Energy Regulatory Commission's Cyber Security Program - 2004"
TO:         Chairman, Federal Energy Regulatory Commission

The purpose of this report is to inform you of the results of our annual evaluation of the Federal Energy Regulatory Commission's unclassified cyber security program. This evaluation was initiated in June 2004 and our field work was conducted through September 2004. The evaluation methodology is described in the attachment to this report.

Introduction and Objective

The Commission's increasing reliance on information technology (IT) is consistent with satisfying the President's Management Agenda initiative of expanding electronic government. The Commission expects to invest $23.5 million on IT related activities in Fiscal Year 2004 to meet mission requirements of regulating interstate transmission of natural gas, oil and electricity, and regulating gas and hydropower projects.

As required by the Federal Information Security Management Act (FISMA) and the Office of Management and Budget (OMB) implementing guidance, the Office of Inspector General (OIG) performed an independent evaluation to determine whether the Commission's unclassified cyber security program protected data and information systems.

Conclusions and Observations

Our evaluation revealed that the Commission had made a number of improvements in its unclassified cyber security program. For instance, we found that the Commission had:

    * Finalized a certification and accreditation methodology in March 2004 and recently completed the certification and accreditation process for all major applications and general support systems;

    * Developed system-level contingency plans for all major systems; and,

    * Utilized the National Institute of Standards and Technology (NIST) Security Self-Assessment Guide for IT Systems.

The above actions should continue to strengthen the Commission's cyber security program. However, we observed that the Commission had completely tested only one of five system-level contingency plans. Additionally, although the Commission used the NIST risk assessment methodology, it had yet to finalize a risk assessment methodology tailored to its needs--a key step in determining current security vulnerabilities within an organization and implementing mitigating controls. Successful completion of these ongoing initiatives should help correct remaining cyber security problems at the Commission.

Since no recommendations are being made in this letter report, a formal response is not required. We appreciate the cooperation of your staff throughout the audit.

                                        George W. Collard, Acting Director
                                        Science, Energy, Technology,
                                          and Financial Audits
                                        Office of Audit Services
                                        Office of Inspector General

Attachment

cc:     Executive Director, FERC
        Chief of Staff, DOE
        Chief Information Officer, DOE


                                                                            Attachment

SCOPE AND METHODOLOGY

We performed our evaluation between June and September 2004. We evaluated controls over network operations to determine the effectiveness of access controls related to safeguarding information resources from unauthorized internal and external sources. The evaluation included a limited review of general and application controls in areas such as certification and accreditation, access controls, application software development and change controls, and contingency planning.

We satisfied our evaluation objective by reviewing applicable laws and regulations pertaining to cyber security and information technology resources, such as FISMA and OMB Circular A-130 (Appendix III), and reviewing the Commission's overall cyber security program management, policies, and procedures. We also reviewed applicable standards and guidance issued by the National Institute of Standards and Technology. The Commission's headquarters were evaluated in conjunction with the annual audit of the Department's Consolidated Financial Statements, utilizing work performed by KPMG LLP, the Office of Inspector General contract auditor. Their review included limited analysis and testing of general and application controls for systems and a follow up review of the status of previously reported weaknesses.

We evaluated the Commission's implementation of the Government Performance Results Act of 1993 related to the establishment of performance measures for cyber security. We did not rely solely on computer-processed data to satisfy our objectives. Because our review was limited, it would not have necessarily disclosed all internal control deficiencies that may have existed at the time of our review.

The review was conducted in accordance with generally accepted Government auditing standards for performance audits and included tests of internal controls and compliance with laws and regulations to the extent necessary to satisfy the objectives. We held an exit conference with management officials on September 23, 2004.


10/01/04   07:48   FAX 301 903 4656   CAPITAL REGION  ->  FORS FIVEA   001

DOE F 1325.8
(08-93)
United States Government                                          Department of Energy

Memorandum

DATE:       SEP 30 2004
REPLY TO
ATTN OF:    IG-34 (A04TG032)
SUBJECT:    Final Report Package for Evaluation of "The Federal Energy Regulatory Commission's Cyber Security Program - 2004" Audit Report Number: OAS-L-04-21
TO:         Rickey R. Hass, Assistant Inspector General for Audit Operations

Attached is the required final report package on the subject audit. The pertinent details are:

1. Actual Staff days:        67
   Actual Elapsed days:      95

2.
   Names of OIG and/or contractor audit staff:
   Assistant Director:       Kevin Majane
   Team Leader:              Dan Weeber
   Auditor-in-Charge:        Heather Lego
   Audit Staff:              Mary Anthony and Chari Reines

3. Coordination with Investigations and Inspections:
   Investigations:           Reginald France
                             June 1, 2004
   Inspections:              Fatima Pashaei
                             June 1, 2004

                                        George W. Collard, Acting Director
                                        Science, Energy, Technology,
                                          and Financial Audits
                                        Office of Audit Services
                                        Office of Inspector General

Attachments:
1. Final Report
2. Monetary Impact Report
3. Audit Project Summary Report
4. Audit Database Information Sheet


                    MONETARY IMPACT OF REPORT NO.: OAS-L-04-21

1. Title of Audit:     Evaluation of "The Federal Energy Regulatory Commission's Cyber Security Program - 2004"

2. Division:           Science, Energy, Technology, and Financial Audits Division

3. Project No.:        A04TG032

4. Type of Audit:

   Financial:                                  Performance:               X
      Financial Statement                         Economy and Efficiency   X
      Financial Related                           Program Results
   Other (specify type):

5. Please report monetary savings identified in the report using applicable columns. Provide additional explanations of audited activities/locations in Section No. 6 - Remarks.

   Columns:
   (A) Finding
   (B) Title
   (C) Cost Avoidance - One Time
   (D) Cost Avoidance - Recurring Amount Per Year
   (E) Questioned Costs - Questioned
   (F) Questioned Costs - Unsupported
   (G) Questioned Costs - Unresolved
   (H) Total (E)+(F)+(G)
   (I) Mgt. Position (C=Concur, N=Nonconcur, U=Undecided)
   (J) Potential Budget Impact (Y=Yes, N=No)

   Findings:              None

   TOTALS - ALL FINDINGS: (none)

6. Remarks: Audit report contains no reportable potential monetary impact.

7. Contractor:                                 10. Approvals:
8. Contract No.:                                   Division Director/Date:
9.
   Task Order No.:                                 Technical Advisor & D


                         Office of the Inspector General (OIG)
                         Audit Project Office Summary (APS)

Report run on:   September 29, 2004 11:08 AM

Audit#: A04TG032      Ofc: ATA      Title: FERC'S FEDERAL INFORMATION SECURITY MGT ACT

                                Planned       End of Survey    Revised       Actual
Entrance Conference:            01-OCT-03                      21-JUN-04     21-JUN-04
Survey:
Draft Report:
Completed (With Report):        30-SEP-04                      17-SEP-04     24-SEP-04   (R)
Elapsed Days:                   365                            88            95
                                                               (Elap. Less Susps)

Date Suspended:                               Date Terminated:
Date Reactivated:                             Date Cancelled:
Days Suspended (Cur/Tot):   ( )               Report Number:   OAS-L-04-21
Rpt Title:                                    Report Type:     LTR LETTER REPORT
EVALUATION OF "THE FEDERAL ENERGY REGULATORY COMMISSION'S CYBER SECURITY PROGRAM - 2004"

Class:      PER    PERFORMANCE                AD:        530   MAJANE
Program:           Not Found                  AIC:       725   LEGO
MgtChall:   005    NATIONAL SECURITY (F       Team Ldr:  713   WEEBER
Site:       SSA    SINGLE-SITE AUDIT          Tech Adv:  833   RUBB
SecMiss:           Not Found
PresInit:   EEG    EXPANDED ELECTRONIC

Task No:                                      CO Tech. Rep:
Task Order Dt:                                Orig Auth Costs:
Orig Auth Hrs:                                Current Auth Cost:
Current Auth:                                 Tot Actl Cost:
Tot Actl IPR Hr:

YI, J             3.1     18-SEP-04
WEEBER, D        11.0     18-SEP-04
REINES, C        17.3     18-SEP-04
LEGO, H          17.4     18-SEP-04
ANTHONY, M       18.0     04-SEP-04
Total:           66.8


                                                                   Attachment 4

                       AUDIT DATABASE INFORMATION SHEET

1. Project No.: A04TG032

2. Title of Audit: Evaluation of "The Federal Energy Regulatory Commission's Cyber Security Program - 2004"

3. Report No./Date: OAS-L-04-21/September 24, 2004

4. Management Challenge Area: National Security

5. Presidential Mgmt Initiative: Expanded Electronic Government

6. Secretary Priority/Initiative: Information Technology Management

7. Program Code: Federal Energy Regulatory Commission

8. Location/Sites: Single-Site Audit/Federal Energy Regulatory Commission

9.
   Finding Summary: As required by the Federal Information Security Management Act (FISMA), we performed an independent evaluation to determine whether the Federal Energy Regulatory Commission's (Commission) unclassified cyber security program protected data and information systems. Our evaluation revealed that the Commission made a number of improvements in its cyber security program in areas such as certification and accreditation and contingency planning. However, we did note that the Commission had completely tested only one of five system-level contingency plans. Additionally, the Commission has not finalized its own risk assessment methodology.

10. Keywords:      Federal Energy Regulatory Commission
                   Federal Information Security Management Act
                   Cyber Security
                   Information Technology
                   FERC
                   FISMA


DOE F 1325.8
(8-89)
EFG (07-90)

United States Government                                          Department of Energy

Memorandum

DATE:       September 13, 2004
REPLY TO:   IG-34 (A04TG032)                         Audit Report No.: OAS-L-04-21
SUBJECT:    Evaluation of "The Federal Energy Regulatory Commission's Cyber Security Program - 2004"
TO:         Chairman, Federal Energy Regulatory Commission

The purpose of this report is to inform you of the results of our annual evaluation of the Federal Energy Regulatory Commission's (Commission) unclassified cyber security program. This evaluation was initiated in June 2004, and our field work was conducted through September 2004. The audit methodology is described in the attachment to the report.

Introduction and Objective

The Commission's increasing reliance on information technology is consistent with satisfying the President's Management Agenda initiative of expanding electronic government. The Commission expects to invest $23.5 million on information technology related activities in Fiscal Year 2004 to meet mission requirements of regulating interstate transmission of natural gas, oil and electricity, and regulating gas and hydropower projects.

As required by the Federal Information Security Management Act (FISMA) and the Office of Management and Budget (OMB) implementing guidance, the Office of Inspector General performed an independent evaluation to determine whether the Commission's unclassified cyber security program protected data and information systems.

Conclusions and Observations

Our evaluation revealed that the Commission had made a number of improvements in its unclassified cyber security program. For instance, we found that the Commission had:

    * Finalized a certification and accreditation methodology in March 2004 and began an effort to certify and accredit all major applications and general support systems;

    * Utilized the National Institute of Standards and Technology Guide for self assessment of programs and systems; and,

    * Established a formal capital planning and investment control process.

Despite these improvements, we noted that the Commission had not completed contingency planning, risk management, and certification and accreditation of systems. For example, the Commission had developed system-level contingency plans for only three of five major systems and had completely tested only one of the plans. Although the Commission used the National Institute of Standards and Technology risk assessment methodology as required by FISMA, it had yet to finalize a risk assessment methodology tailored to its needs--a key step in determining current security vulnerabilities within an organization and implementing mitigating controls. Additionally, at the time of our review the Commission had only completed the certification and accreditation process for three of its five major applications and general support systems. Successful completion of these ongoing initiatives should help correct remaining cyber security problems at the Commission.

Since no recommendations are being made in this letter report, a formal response is not required. We appreciate the cooperation of your staff throughout the audit.

                                                    /S/
                                        George W. Collard, Acting Director
                                        Science, Energy, Technology,
                                          and Financial Audits
                                        Office of Audit Services
                                        Office of Inspector General

Attachment

cc:     Executive Director, FERC
        Chief of Staff, Department of Energy
        Chief Information Officer, Department of Energy


                                                                            Attachment

SCOPE AND METHODOLOGY

We performed our evaluation between June and September 2004. We evaluated controls over network operations to determine the effectiveness of access controls related to safeguarding information resources from unauthorized internal and external sources. The evaluation included a limited review of general and application controls in areas such as certification and accreditation, access controls, application software development and change controls, and contingency planning.

We satisfied our evaluation objective by reviewing applicable laws and regulations pertaining to cyber security and information technology resources, such as FISMA and OMB Circular A-130 (Appendix III), and reviewing the Commission's overall cyber security program management, policies, and procedures. We also reviewed applicable standards and guidance issued by the National Institute of Standards and Technology. The Commission's headquarters were evaluated in conjunction with the annual audit of the Department's Consolidated Financial Statements, utilizing work performed by KPMG LLP, the OIG contract auditor. Their review included limited analysis and testing of general and application controls for systems and a follow up review of the status of previously reported weaknesses.

We evaluated the Commission's implementation of the Government Performance Results Act of 1993 related to the establishment of performance measures for cyber security. We did not rely solely on computer-processed data to satisfy our objectives. Because our review was limited, it would not have necessarily disclosed all internal control deficiencies that may have existed at the time of our review.

The review was conducted in accordance with generally accepted Government auditing standards for performance audits and included tests of internal controls and compliance with laws and regulations to the extent necessary to satisfy the objectives. We held an exit conference with the management on September XX, 2004.